Forum Discussion
Quarantine "finger print matching" false positive
Just done my regular quarantine check on our O365 tenant and was surprised to find a couple of legit messages from an external sender which were flagged as High Confidence Phish based on finger print matching, which I understand translates to a close match to a previously detected malicious message. I can see absolutely nothing wrong with the message and it was so very business specific in its content that I cannot see that it would closely match anything else that had ever gone before. The recipient tells me they regularly exchange business emails with the sender without any issue.
When I run off a report and look at other recent messages caught by finger print matching on my tenant, they were the usual phishing emails that are probably doing the rounds globally and were correctly trapped.
Questions are:
1. Anyone know why something so highly specific in its content would be trapped in this way?
2. I feel I can't trust O365 to correctly quarantine based on this example, but High Confidence Phish is currently set to have the AdminOnlyAccessPolicy applied on my tenant - and this doesn't notify. Is there any way for a sys admin (only) to be notified by email when something goes into quarantine? I can set up a custom policy to allow RECIPIENT notification but I don't really want to involve them when messages are being correctly quarantined almost all of the time.
Ours is a non-profit tenant so I can't be sitting around watching it all day - I need it to tell me when something has happened!
Thanks for any ideas!
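For question 2 above, one way to get an admin-only email when items land in quarantine (an added example, not from this thread or from Microsoft's documentation): a scheduled Exchange Online PowerShell script that polls for new HighConfPhish items since its last run and mails a summary to the admin. It assumes the ExchangeOnlineManagement module, an app-only certificate connection, and an SMTP relay for Send-MailMessage; the AppId, thumbprint, tenant, mailbox and relay values are placeholders.

```powershell
# Added example: report new high-confidence-phish quarantine items to the admin only.
# Assumes ExchangeOnlineManagement and an app-only (certificate) connection.
Import-Module ExchangeOnlineManagement

$AppId      = '<APP-ID-PLACEHOLDER>'
$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
$Org        = 'contoso.onmicrosoft.com'   # placeholder tenant
$AdminMail  = 'secops@example.org'        # placeholder admin mailbox
$Relay      = 'smtp.example.org'          # placeholder SMTP relay you control
$StateFile  = "$env:ProgramData\QuarantineWatch\last-run.txt"

Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Org

# Look back to the previous run (24 h on the first run) so each item is reported once.
$since = if (Test-Path $StateFile) { Get-Date (Get-Content $StateFile) } else { (Get-Date).AddHours(-24) }
$now   = Get-Date

$items = Get-QuarantineMessage -StartReceivedDate $since -EndReceivedDate $now `
                               -QuarantineTypes HighConfPhish -PageSize 1000

if ($items) {
    # PolicyName shows which quarantine policy applied (e.g. AdminOnlyAccessPolicy);
    # ReleaseStatus lets you skip items someone already released.
    $table = $items |
        Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, PolicyName, ReleaseStatus |
        Sort-Object ReceivedTime |
        Format-Table -AutoSize | Out-String -Width 200

    $body = "High-confidence phish quarantined since $since ($($items.Count) item(s)).`n" +
            "Review each one and submit confirmed false positives to Microsoft.`n`n$table"

    # Assumption: relay accepts mail from this host. Send-MailMessage is deprecated but
    # still ships in Windows PowerShell 5.1; swap in your preferred sender if needed.
    Send-MailMessage -From 'quarantine-watch@example.org' -To $AdminMail `
        -Subject "[Quarantine] $($items.Count) HighConfPhish item(s)" -Body $body -SmtpServer $Relay
}

# Persist the run time for the next poll, then close the session.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value $now.ToString('o')
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a scheduled task (for example every 15 minutes) under an account that only has the quarantine-reading role; recipients are never involved, which matches the AdminOnlyAccessPolicy setup described in the question.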
5 Replies
- rfconsulting813 (Copper Contributor)
I just started dealing with this 3 days ago. Emails being sent out of an internal system, to our internal users, are all getting quarantined for this reason...tagged as high confidence phishing. I have been going back and forth with MS support for days now (as usual), trying to get this fixed and to get an explanation as to why it just started happening a few days ago. I finally received a response from their support (below)...they advised this was fixed, but I am still seeing emails being quarantined:
"I have just been informed by our team earlier this morning that they have investigated the submissions reported and verified that the shared samples were incorrectly classified as phishing (or spam/malware) by one of our detections. Frequent adjustments to the features and scores assigned by our model to address new campaigns can sometimes result in the misclassification of Customer emails as suspicious, and we truly apologize for this inconvenience.
The issue was mitigated by identifying and marking related entities as clean, which will prevent this and other models from detecting them or learning them as bad."
At this point, all I can do is continue to check the quarantine, submit to MS for review, release emails, then email Support back with the submission info. I have no confidence at all that this is going to be resolved.
- fbspaul2 (Copper Contributor)
Over a year later and we are still seeing this. Particularly on Phishing Simulation emails that are whitelisted precisely as prescribed. Other 365 tenants are NOT having this problem, with the same settings and same configuration. All that seems to be able to be done is manually going in and releasing from Quarantine. There's no 'white list' for these things, by IP, by domain, by header, or anything else. This is the same problem as 'Advanced filter' over which there seems to be no control whatsoever.
Anyone with a solution to this yet?
- DannyBoyPipes (Copper Contributor)
Seeing this also with messages being marked as spam.
- MReed (Copper Contributor)
I also ran into the same issue yesterday. But the message was marked as spam using fingerprint matching. Following this issue.
- annoyeduser360 (Copper Contributor)
This is something our organization runs into as well. I would also like to know the answer to this question.